EPIC Alert 9.02 [2002] EPICAlert 2

[1] Qwest Backs Down from Opt-Out Marketing Plan
[2] State AGs Urged to Protect Consumers from Microsoft Passport
[3] EPIC Files FOIA Suit for Profiling Records
[4] FTC Proposes Telemarketing Do-Not-Call List
[5] Policy Forum Debates Face Recognition Technology
[6] Eli Lilly Settles with FTC over Privacy Violation
[7] EPIC Bookstore - Privacy and the Information Age
[8] Upcoming Conferences and Events

[1] Qwest Backs Down from Opt-Out Marketing Plan

Qwest Communications announced on Monday that it is withdrawing its plan to share private customer information, which was implemented during the December billing period. Citing numerous customer concerns, the company has stated that it will wait until the Federal Communications Commission (FCC) has proposed a final rule on the issue.

This decision followed a nationwide campaign, led by EPIC, to force Qwest to change its policy. EPIC wrote to Qwest President Afshin Mohebbi in early January, urging him to suspend the plan to use telephone-call records for marketing purposes. Others vociferously opposed to the company's opt-out policy included Washington State Attorney General Christine Gregoire, Minnesota Senator Paul Wellstone, and the Arizona Corporation Commissioners.

Qwest is the first company in the telecom industry to announce that it will not share private customer account information until the FCC has had an opportunity to issue new rules on the process. SBC-Ameritech and Verizon -- both of which also implemented opt-out plans in the last month -- have stated no similar intention of withdrawing their information-sharing plans.

The Telecommunications Act of 1996 required telecommunications companies to obtain customers' approval prior to sharing customer proprietary network information (CPNI), or data collected by telecommunications corporations about a consumer's telephone calls, with third parties. EPIC and other privacy advocates and consumer rights groups argued that "approval" implied that a consumer had to give positive, express consent to the sharing of information: that is, to "opt-in" to the marketing scheme. Telecommunications companies argued that they could start from a presumption of approval, and allow customers the choice to "opt-out" of the marketing program by explicitly withdrawing their consent. In 1998, the FCC instituted a rule requiring that customers "opt-in" to the marketing program for personal information contained in their CPNI to be shared or used for marketing purposes.

U.S. West (now Qwest) challenged the FCC rule in the 10th Circuit court of appeals, which found that the FCC had failed to provide adequate evidence to establish that the rule furthered a substantial government interest, that it materially advanced such an interest, and that it was narrowly tailored to serve that interest. In October 2001, the FCC initiated a rulemaking procedure on the issue by requesting comments from all parties to create a more complete record.

EPIC initiated the campaign for opt-in by filing comments and reply comments at the FCC last November. Following Qwest's implementation of an opt-out policy, the FCC announced that it would continue to accept comments from consumers wishing to express their opinion in this ongoing debate. Consumers wishing to do so can comment by e-mail at fccinfo@fcc.gov or by regular mail: FCC, 445 12th St. S.W., Washington, D.C. 20554, attn: Consumer Information Bureau. Reference Docket No. 96-115.

[2] State AGs Urged to Protect Consumers from Microsoft Passport

EPIC sent a letter today to state attorneys general across the nation urging them to protect citizens from the privacy and security risks of Microsoft Passport through the use of state laws against unfair and deceptive trade practices.

Microsoft Passport is an online identification and authentication system that enables profiling of individuals' browsing, shopping, and content consumption behaviors. Microsoft officials have publicly stated that the company's goal is to have every Internet user in the Passport system. Through tying Passport to the Windows XP operating system, and to an ever-increasing number of web site registrations, Microsoft claims over 200 million Passport accounts.

Microsoft appears to have violated state laws by failing to provide adequate notice of the privacy and security risks raised by Passport. Additionally, Microsoft likely violated state laws by representing that Passport gives users control of their data when in reality, Microsoft has control of user data.

State laws often provide broader consumer protections than federal statutes. For instance, in California, the protection of privacy against government and business interests is an inalienable right that is embodied in the state Constitution. California has a public policy and mandate to protect consumers. Through interpretation of this mandate, the California Attorney General, or private persons, could initiate a lawsuit to protect consumers from Microsoft Passport.

In two previous filings with the Federal Trade Commission (FTC), fifteen privacy and consumer protection organizations urged the Commission to investigate Microsoft Passport and related services. Since filing these complaints, there have been numerous security breaches in the Passport system; however, the Commission has taken no public action to investigate Microsoft.

[3] EPIC Files FOIA Suit for Profiling Records

On January 21, EPIC asked a federal court to order the disclosure of records regarding the sale of personal information to law enforcement agencies. Government access to personal data has become more controversial since September 11 as anti-terrorism investigative powers have been expanded. In a complaint filed in federal district court, EPIC charged that the Departments of Justice and Treasury have violated the law by failing to respond to a series of Freedom of Information Act (FOIA) requests that EPIC has submitted. The FOIA requests sought records relating to "transactions, communications, and contracts" between law enforcement agencies and private firms that are engaged in the sale of personal information.

The information requests were submitted in response to news reports that ChoicePoint, a profiling company, routinely sells personal information to federal law enforcement agencies. The requests were filed with the Federal Bureau of Investigation, the Drug Enforcement Agency, the United States Marshals Service, the Internal Revenue Service, the Immigration and Nationalization Service, and the Bureau of Alcohol, Tobacco and Firearms.

"Through the mining of public records and the purchase of credit reporting data, private sector companies are amassing troves of personal information on citizens for the government," said EPIC attorney Chris Hoofnagle, who filed the court challenge. "Serious questions exist involving citizen access to profiles, their accuracy, and the potential for misuse of personal information."

Documents obtained by EPIC show that ChoicePoint and Experian, another profiling company, sold the IRS credit header data, property records, state motor vehicle records, marriage and divorce data, and international asset location data. IRS employees have access to this personal data from their desktop computers. To facilitate the IRS account and access for other law enforcement agencies, ChoicePoint has created a federal government web portal at http://www.cpgov.com/.

"ChoicePoint and Experian are selling profiles on citizens with little public awareness or oversight," said Hoofnagle. "We need to ask ourselves: who is watching the watchers?"

[4] FTC Proposes Telemarketing Do-Not-Call List

On January 22, the Federal Trade Commission (FTC) issued a Notice of a Proposed Rulemaking to amend the Telemarketing Sales Rule (TSR). The Rule was issued in August 1995 pursuant to the Telemarketing Consumer Fraud and Abuse Prevention Act of 1994 to protect consumers from invasive and fraudulent telemarketing practices. It currently restricts telemarketing calls to between the hours of 8:00 a.m. and 9:00 p.m., requires telemarketers to identify calls as sales calls, and prohibits deceptive or false sales pitches. The proposed amendment to the rule would create a national Do-Not-Call (DNC) list for individuals who wish to avoid sales calls, prohibit the use of "pre-acquired account information" in telemarketing, and prohibit telemarketers from blocking or circumventing Caller-ID systems.

Increased protection for consumers from unwanted or fraudulent telemarketing was included as a key part of the FTC's new privacy agenda, which was released by Chairman Muris on October 4, 2001 (see Alert 8.20). The move is supported by privacy and consumer advocates who point out that Congress clearly intended the creation of a national Do-Not-Call (DNC) list when it passed the Telephone Consumer Protection Act of 1991. That Act authorized the Federal Communications Commission (FCC) to issue regulations that would allow individuals to opt out of telemarketing calls in an efficient manner and without cost. Congress specifically noted that this "may require the establishment and operation of a single national database" of telephone numbers of individuals who had opted out. The FCC, however, under pressure from the Direct Marketing Association and other industry lobbyists, decided instead to implement a more limited system whereby individuals have to opt out of calls on a company-by-company basis.

The FTC is encouraging the public to comment on the proposed changes. Written comments will be accepted until March 29, 2002. The FTC will then hold a public forum to discuss the issues raised during the comment period. Notice of intention to participate in this event must also be submitted before March 29, 2002.

[5] Policy Forum Debates Face Recognition Technology

The Cato Institute hosted a policy forum entitled "Eye in the Sky and Everywhere Else: Do Biometric Technologies Violate Our Rights?" on January 24, 2002. Forum panelists debated the role that emerging biometric technologies could play in future society. Frances Zelazny, Head of Corporate Communications at Visionics, one of the leading biometric vendors, saw face recognition technology being used for access control, surveillance, background checks, and the creation of secure IDs. Zelazny favorably cited the example of Newham, a small crime-ridden borough of London, England, where face recognition technology was used in conjunction with a saturation of surveillance cameras to reduce the crime rate. She noted that the success of the system depended on the quality of images enrolled in the database, the participation of the subjects whose images are being captured, and the threshold of acceptance for false positive and false negative matches.

Visionics suggests using internal privacy guidelines that include "no match, no memory," but seeks responsible public policy to put in place oversight and audit mechanisms to control the technology. Dorothy Denning, professor of computer science at Georgetown University, reflected more broadly on the potential uses of biometric technology. She suggested that the use of this technology for authentication and anti-fraud purposes is relatively uncontroversial while its use in identification and profiling raises important public policy questions.

John Woodward, Jr., Senior Policy Analyst from RAND, echoed Visionics' call for responsible use of surveillance systems. He argued that both the up-front deployment of the surveillance system and, more significantly, the back-end databases need to be strictly regulated with regards to the information they collect and link with. Pre-September 11, Woodward conceded that the key question confronting policymakers was whether face recognition technology should be deployed in public. Post-September 11, however, the question is how such technology can be used. Woodward believes that face recognition technology can be used effectively to "keep bad people away." He also argued that there is no right to privacy in the facial features one shows in public, and therefore face recognition technology does not implicate any rights violation.

Marc Rotenberg, Executive Director of EPIC, took a different position on the rights violated by new surveillance technologies. He argued that these systems compel a person's identity in a public place, and that there is a long tradition in American constitutional law that protects people from such coercive action by enforcement authorities (see EPIC's amicus brief in the Watchtower Bible case). Rotenberg drew a parallel between new surveillance technology and wiretap technology in the late 1920s. While surveillance technology is still in its infancy, he argued that Congress needs to develop laws, as it did for wiretaps, to limit the indiscriminate and unregulated use of such technology. Face recognition and other biometric identification technologies are "Technologically Assisted Physical Searches" (TAPS), suggested Rotenberg, and must have similar protections and oversight mechanisms as physical searches have in the law today.

[6] Eli Lilly Settles with FTC over Privacy Violation

On January 18, the Federal Trade Commission (FTC) announced a settlement in a case involving Eli Lilly and Company's accidental disclosure of the email addresses of 700 subscribers of a mental health information list. The FTC acted in response to a July 2001 American Civil Liberties Union (ACLU) complaint highlighting Lilly's negligence and requesting that the FTC take appropriate action.

This is the first settlement of its kind resulting from negligence. J. Howard Beales, III, Director of the Bureau of Consumer Protection at the FTC, emphasized that even an unintentional release of sensitive medical information is a serious privacy breach. Further, the FTC alleged that claims of privacy and confidentiality found in Lilly's privacy policies were deceptive due to Lilly's failure to implement a system to adequately protect sensitive information.

While the settlement did not involve the exchange of money, it did involve a promise on the part of Lilly to take appropriate security measures to protect consumer privacy. Under the settlement, Lilly is specifically required to designate personnel to coordinate and oversee a data protection program, identify risks to the security, confidentiality, and integrity of personal information, and to address these risks in all areas of its operations. Lilly must also conduct an annual written review to monitor compliance with the program, evaluate its effectiveness, and recommend any necessary changes.

In response to the settlement, FTC Commissioner Orson Swindle stated that "Lilly's responsiveness and its efforts to improve corporate privacy practices can be a model for others to follow."

The FTC voted 5-0 to accept the proposed settlement, and an announcement will soon be published in the Federal Register regarding the proposed consent agreement. The agreement will then be subject to public comment, after which the Commission will decide whether to make it final.

[7] EPIC Bookstore - Privacy and the Information Age

Privacy and the Information Age is an English translation, new for 2002, of Serge Gutwirth's 1998 "Privacyvrijheid." In this book, Gutwirth illustrates his thesis that privacy involves much more than just the protection of personal data; it is the fundamental safeguarding of an individual's freedom to decide whether he/she would like that data to be known or shared. Drawing on many international sources, Gutwirth examines challenges to privacy posed by new technologies, ultimately arguing that privacy is central to personal freedom, and that personal freedom is central to democracy.

This survey, by EPIC and Privacy International, reviews the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

The "Physicians Desk Reference of the privacy world." An invaluable resource for students, attorneys, researchers and journalists who need an up-to-date collection of U.S. and International privacy law, as well as a comprehensive listing of privacy resources.

The Consumer Law Sourcebook provides a basic set of materials for consumers, policy makers, practitioners and researchers who are interested in the emerging field of electronic commerce. The focus is on framework legislation that articulates basic rights for consumers and the basic responsibilities for businesses in the online economy.

"Cryptography and Liberty 2000: An International Survey of Encryption Policy," Wayne Madsen and David Banisar, authors (EPIC 2000). Price: $20. http://www.epic.org/crypto&/

EPIC's third survey of encryption policies around the world. The results indicate that the efforts to reduce export controls on strong encryption products have largely succeeded, although several governments are gaining new powers to combat the perceived threats of encryption to law enforcement.

EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:

[8] Upcoming Conferences and Events

** POSTPONED! ** First Privacy Expo 2001. Privacy & American Business and Privacy Council. Was November 27-29, 2001; will be rescheduled for February or March 2002. Washington, DC. For more information: info@pandab.org

** POSTPONED! ** Eighth Annual National "Managing the NEW Privacy Revolution" Conference. Privacy & American Business and Privacy Council. Was November 28-29, 2001; will be rescheduled for February or March 2002. Washington, DC. For more information: info@pandab.org

Understanding Privacy: New Laws, New Challenges. BC Freedom of Information and Privacy Association (FIPA). March 11-12, 2002. Vancouver, British Columbia, Canada. For more information: http://ellisriley.on.ca/fipa/

HIPAA Summit West II: The Leading Forum on Healthcare Privacy, Confidentiality, Data Security, and HIPAA Compliance. March 13-15, 2002. San Francisco, CA. For more information: http://www.hipaasummit.com/

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email address from this list, please follow the above instructions under "subscription information". Please contact info@epic.org if you would like to change your subscription email address, or if you have any other questions.

About EPIC

The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, e-mail info@epic.org, http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Drink coffee, support civil liberties, get a tax deduction, and learn Latin at the same time! Receive a free epic.org "sed quis custodiet ipsos custodes?" coffee mug with donation of $75 or more.

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.